Towards a moderately paranoid Debian laptop setup [Update]

I was planning to set up my laptop from scratch for a while now... so I did.

Preparation

First, go home. No, really! Do all of this at home in a non-hostile, firewalled network. You don't want to be in a crowded place such as a conference where people can shoulder-surf your passwords, nor do you want your network traffic sniffed or MITM'd in a hostile network.

Backup all your data! You'll be wiping your whole drive soon, so make sure you have recent, tested backups.

Get the most recent Debian-installer ISO image (currently etch-beta3), as well as the MD5SUMS and MD5SUMS.sign files:
wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/debian-testing-i386-binary-1.iso
wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/MD5SUMS
wget http://cdimage.debian.org/cdimage/etch_di_beta3/i386/iso-cd/MD5SUMS.sign

Run gpg --verify MD5SUMS.sign, which will fail but tell you the signing key ID (88C7C1F7 in this case). Get the key and re-run the verification: gpg --recv-key --keyserver subkeys.pgp.net 88C7C1F7 && gpg --verify MD5SUMS.sign. The output should now say "Good signature from [...]".

BIOS

Set a good BIOS boot password (which you need to boot any OS). Set a (different) good BIOS boot setup password (which you need to enter the BIOS).

Disable all boot possibilities in the BIOS, except for CD-ROM. This means it should not be possible to boot via USB, hard drive, network, PXE, Firewire, floppy, whatever. The BIOS setup password helps to prevent tampering with this setting.

Finally, never rely on BIOS passwords alone for security! They can often be circumvented very easily.

Installation / Setting up full-disk encryption using dm-crypt

Insert the installer CD and boot in expert-mode (don't hit ENTER when you boot, but rather type "expert").

As for networking: select "Do not configure the network at this time". We'll fix and enable networking later.

Partitioning:

Select manual partitioning. Remove all partitions (if any). Create a 100 MB /boot (ext3) as primary partition, and make the rest of the hard drive one huge partition which has "Use as:" set to "physical volume for encryption".

After the erasing is done (this is important!), use the whole encrypted space as "physical volume for LVM". Then select "Configure the Logical Volume Manager". Create one big volume group and a bunch of logical volumes for the various partitions we'll use (lv-root, lv-usr, lv-var, lv-tmp, lv-swap, lv-home).

It is extremely important that your swap space is encrypted (in this case it is, as all partitions except for /boot reside on a dm-crypt device)! Never set up unencrypted swap!

Choose a good root password, and a (different) good user password. Don't enter a full name for the user.

Choose the latest kernel (old kernels might have security issues). Do not participate in popcon.

Do not install any tasks (no "desktop", no "base system"). We want the smallest installation possible, and add only the packages we really need. Fewer packages means fewer security issues (statistically).

That's it. Eject the CD-ROM, reboot, change the BIOS to only allow booting from hard drive.

Post-installation tasks

Enter the USB thumb drive, copy all config-files to /root and /home/uwe. Log out and log in again to make ~/.bashrc and ~/.inputrc take effect.

Fix the GRUB configuration. Replace the "password foo" line (which contains the GRUB password in plain-text) from your /boot/grub/menu.lst with a "password --md5 $1$1234567890..." line, where the MD5 hash ($1$1234567890...) can be generated with grub-md5-crypt. Additionally, add such a password line after each "title" line in the GRUB config-file, so that nobody can boot any OS installed on the laptop without a password!

Networking, Upgrading and Apt-secure

Now that we have a small, hardened system, it should be reasonably safe to enable networking. Add this to /etc/network/interfaces:

auto eth0
iface eth0 inet dhcp
pre-up /etc/rc.boot/fw_laptop

Run /etc/init.d/networking restart. The firewall script will run every time the network is started.

Now add this (tweak as you see fit) to /etc/apt/sources.list:
deb http://ftp.de.debian.org/debian unstable main
deb-src http://ftp.de.debian.org/debian unstable main

Time for upgrading: apt-get update && apt-get dist-upgrade. All packages are GnuPG-signed and will be verified by Apt. The installer already ships the required key (for 2006), so everything should just work. Still, you should read about SecureApt.

Install the rest of your system now, and restore your data from backups.

Use sysv-rc-conf to disable all daemons you don't want to start per default: sysv-rc-conf foo off.

Install and set up Samhain (or any other file integrity checker): apt-get install samhain. You want to be notified if your system files are being tampered with (e.g. replaced by a rootkit).

Edit /boot/grub/menu.lst and add selinux=1 to your kernel command line to enable SELinux upon booting.

In /etc/pam.d/login uncomment the "session required pam_selinux.so multiple" line. Do the same in /etc/pam.d/ssh if you have ssh installed.

In /etc/default/rcS set FSCKFIX=yes.

In /etc/init.d/bootmisc.sh search for "Update motd" and comment the two lines below that line. Then rm /var/run/motd.

If you have exim installed, you must either install postfix or write an exim policy, as none currently exists. But even postfix needs some fixing (no pun intended ;-). Disable chroot-support (change all "chroot" fields to "n" in /etc/postfix/master.cf and execute echo 'SYNC_CHROOT="n" >> /etc/default/postfix').

Use check-selinux-installation to check for common SELinux problems on Debian (such as the above mentioned).

Done. You should now have a working SELinux system. If no critical audit errors appear and you feel comfortable with SELinux, enable enforcing mode via setenforce 1 or by adding enforcing=1 to the kernel command line in /boot/grub/menu.lst.

Behaviour

Never leave your laptop unattended!

Always lock your terminal (using vlock) when you move more than 30 cm away from the laptop!

Don't run insecure and/or closed-source software (which you can never trust!). No NVIDIA/ATI drivers, no VMware, no Google Earth, no Flash Plugin (except for Gnash maybe), no Adobe Acrobat. You get the idea.

Keep the number of installed packages small and try to configure each of them as secure as possible.

Never enable networking or WLAN or Bluetooth if you don't absolutely have to.

Trust no one. Don't let other people use you laptop, don't give out shell accounts.

Further ideas

The /boot partition is still unencrypted, so an attacker can tamper with it. Boot from a CD-R, forbid booting from hard drive (BIOS). Sign/mark the CD-R physically, so you'll know when someone replaced your CD-R with his own, back-doored one.

Hi. I got a question. I tried following what you said about putting a password under every title in the menu.list then upon reboot it does seems to put security having to type the password first before you can login to whatever OS installed in your box. But how come I can edit the menu list and delete the line with the password and successfully boot the box before typing the password? Does it suppose to do that? Isn't the password suppose to prevent access to your box? Or, did I miss something?

Consider filling your laptop with epoxy for a more difficult physical access (but I guess this would result in overheating problems)
For me, encrypting home + swap is enough. I just came to your site to figure out how I can block the firewire DMA access.

But if I ever need a PC for developing my world dominion plans, I will come back to your HOWTO.

It should be noted that, unless the machine has been powered OFF (or hibernated, not suspended) for at least several minutes, it is possible for a determined attacker to overcome any disk encryption by cooling/freezing the RAM modules, transferring them to a different machine and looking for the disk encryption (session) key.

This will obviously render all the nice paranoid tactics void. So make sure you don't leave your machine unattended in a hostile environment unless it has been powered down for at least a few minutes (a few more in winter :-).

hmmm... putting the partition and passphrase on a cdrom is probably a bad idea. But is it much different than having the passphrase on a usb stick? I think having some kind of way to read a passphrase from somewhere besides the keyboard would be a good thing. Entering a 20 character passphrase on a laptop seems a bit impractical but automatically reading it from somewhere does not. Do you know if there are any plans to support this sort of thing in the future. If it's not a horrible idea (or a less than good one), it would nice to see in the debian installer.

I did something akin to this, though the easier way I think. Installed debian from a netinst CD to a USB stick. Made an unencrypted boot partition and an encrypted partition, using LVM. Installed the system to it.

Tanks for the vital info about selinux installation.
But on the current debian sid I got a little problem with the motd check of the check-selinux-installation script. Now it checks /etc/default/rcS for the variable EDITMOTD=no.
I added this line in addition to the recommended steps in your tutorial.
So it passes the test and avoids a misleading error message.
Maybe this will be helpful for other selinux users.

I have just try it when reinstalling my workstation, but I got a problem in the first steps.

I created a big partition on my disk for use as "physical volume for encryption" then in the same menu I did an erase of the data.
The problem is to create an LVM physical volume: I need to change my partition from "physical volume for encryption" to "lvm physical volume"... I can't do an LVM VG on an encrypted volume... or at least I don't understand how to.

To be sure, I reboot on a SystemRescue CD and checked that I can mount my LVs and read its contents.

Okay, I finally found how to do the setup. After creating a partition for encryption, you must go on 'configuration for encryption devices' (or something similar), there you format the partition and define your LUKS passphrase, and finally you can create physical device for LVM on top of this encrypted device.

Now, one remark, it's not possible to create a key for this encrypted partition and to store it on a usb key for example?

For sure, it's possible to store encryption keys on an usb key. I use it on my ubuntu laptop with a /home encrypted and an automatic decryption/encryption when inserting/retrieving my key (udev rule). But i'm using dm-crypt without Luks...
For the Debian installer, it seems to not be possible (only passphrase and random key which I don't understand how it works (where is it stored?)), I'll fill a bug/wish :)

And to be honest I wouldn't attempt it, even if it was possible somehow. This is a major undertaking so you definately want a full backup of all your data on some external medium. Otherwise, if something goes wrong you're in big trouble...

Actually, no. I've never used suspend. I'm not sure if it's possible to use it with disk encryption.

Anyways, if you just encrypt your /home you still leak a lot of information you probably don't want to. At a minimum, I'd also encrypt swap. You can find GPG keys, ssh keys, root passwords and all kinds of other stuff in swap space, so this is an absolute must!

Regarding BIOS passwords, they aren't much use. I prefer to have machines boot without a BIOS password to prevent them from locking me out. A password for BIOS setup is useful.

I prefer to encrypt on a per-partition basis. I encrypt swap with a random key which is discarded. Some partitions don't have secret data and don't need encryption (mount with noexec,nodev).

I don't think that read-only filesystems provide any security benefits. As a general rule the access level required to write to the files in question is the same as that required to remount the filesystem.

USB devices work well for booting laptops and will fit into your pocket much more easily than CD-ROMs. Laptops from the Pentium2-600 days claimed to support booting from USB but unfortunately it seems that laptops with USB-2.0 support are needed for this.

Disabling USB drivers is a good idea. Is there a convenient way of disabling all USB drivers other than the mass-storage driver which is needed for updating the boot device?

As has been suggested a USB device for logging in is a good idea.

Finally I think that Xen is a good option for sand boxes, maybe not as secure as QEMU though. If you want a really secure sandbox then a S/390 installation running under Hercules will work well (I know someone who does this).

I personally like BIOS passwords. They add another barrier. A rather weak one, but it's better than nothing.

As for read-only file systems, you're probably right. SELinux should provide most (probably even more) "features" you gain from read-only file systems.

USB thumb drives are nice if you can boot from USB, but my main problem with them is that they're not read-only. As for CD-ROMs I plan to use the small ones which only hold 200 MB or so (not sure what they're called). They should be small enough to be carried in your pocket.

Disabling USB drivers is probably not easily possible with the stock Debian kernel. I'd compile a custom kernel (or re-compile the Debian kernel) which doesn't have any USB modules, and only USB mass storage compiled in.

A USB thumb drive with (parts of) a key file would be a nice addition. Something like that could enable you to use two-factor authentication (password + key on USB thumb drive; neither one is sufficient, both are required).

I didn't know about Hercules, but it sounds pretty interesting so I'll check it out (but more for esoterical reasons :) How or why is Hercules more secure than Xen or QEMU for sandboxing?